Apologies for the 3 week gap in “weekly” posts. I was taking a vacation in Hawaii (pics!) and took a bit of time to enjoy life offline 🙂
Geocities was once called Beverly Hills Internet. The company was founded in 1994 but it wasn’t until mid-1995 that they publicly offered what people now think of as a Geocities trademark: free webpages, or “homesteads”. [An article about the Archive Team trying to save Geocities content before Yahoo takes it down.]
At some point in conversation Hammer-Lahav realized that the problem went far beyond the Twitter implementation. The OAuth protocol had an inherent vulnerability; big companies like Google, Netflix and Yahoo had implemented OAuth and scores of tiny startups had too… OAuth has support, but it doesn’t have a centralized authority ready to deal with problems like this. Over the next week a story unfolded as the community moved to deal with the security issue. It’s a dramatic story.
[Includes such classics as: What’s brown and sticky? A stick. — Why does Snoop carry around an umbrella? Fo Drizzle. — and, my personal favorite: Two snares and a cymbal fall off a cliff.]
We’re sick and tired of hack developers ripping off naive clients. And while I’m completely disgusted by some of the horror-stories I’ve heard lately, clients keep asking the wrong questions. As real developers, it’s our responsibility to make the tough decision to speak the truth. This is an example of what we call the anti-pitch. [Excellent. I’m using this technique next time I’m dealing with potential clients.]
…hackers sent them screenshots from the site Twitter employees use to manage the microblogging service, admin.twitter.com… [It’s amazing to see all of the back-end stuff necessary to run something so “simple” as Twitter.]
Our site’s suggestion box got hammered by a spambot recently, so I created this simple Rack middleware to protect our app from any requests that include a honeypot field.
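For anyone who wants to see the honeypot idea in code, here is an added example of my own (it is not the middleware from the linked post). Rack middleware is just an object with a `call(env)` method, so this runs without the rack gem; the hidden field name `contact_me_by_fax` and the sample requests are made up for the demo. A human never sees the field, so a non-empty value means a bot filled in every input it found, and the request is answered with a bland page instead of reaching the app:

```ruby
# Added example, not the original post's code: a minimal Rack middleware that
# drops any request carrying a non-empty honeypot form field.
require 'cgi'
require 'stringio'

class HoneypotFilter
  # Field name is an assumption; the real form hides it with CSS so people leave it blank.
  def initialize(app, field: 'contact_me_by_fax')
    @app = app
    @field = field
  end

  def call(env)
    if honeypot_filled?(env)
      # Answer with a plain "success" page so the bot learns nothing from the response.
      return [200, { 'Content-Type' => 'text/html' }, ['<html><body>Thanks!</body></html>']]
    end
    @app.call(env)
  end

  private

  # Looks at both the query string and a url-encoded form body.
  def honeypot_filled?(env)
    params = parse_query(env['QUERY_STRING'])
    body = env['rack.input']
    if body && env['CONTENT_TYPE'].to_s.start_with?('application/x-www-form-urlencoded')
      raw = body.read
      body.rewind if body.respond_to?(:rewind) # leave the body readable for the app
      params.merge!(parse_query(raw))
    end
    value = params[@field]
    !(value.nil? || value.strip.empty?)
  end

  def parse_query(str)
    return {} if str.nil? || str.empty?
    CGI.parse(str).transform_values(&:first)
  end
end

# Constructed sample requests (not captured traffic) built as bare Rack envs.
def build_env(method, query: '', body: nil)
  env = { 'REQUEST_METHOD' => method, 'QUERY_STRING' => query }
  if body
    env['CONTENT_TYPE'] = 'application/x-www-form-urlencoded'
    env['rack.input'] = StringIO.new(body)
  end
  env
end

# The downstream app that should only ever run for legitimate requests.
INNER_APP = lambda { |_env| [200, { 'Content-Type' => 'text/plain' }, ['suggestion recorded']] }
FILTERED = HoneypotFilter.new(INNER_APP)

# Returns [status, body] so the outcome of a request is easy to inspect.
def handle(env)
  status, _headers, body = FILTERED.call(env)
  [status, body.join]
end

if __FILE__ == $PROGRAM_NAME
  p handle(build_env('POST', body: 'suggestion=hello&contact_me_by_fax='))
  p handle(build_env('POST', body: 'suggestion=buy+now&contact_me_by_fax=http%3A%2F%2Fspam.example'))
end
```

In a Rails app you would add it with `config.middleware.use HoneypotFilter` and drop the hidden field into the suggestion form; it is worth logging the dropped requests so you can see whether the bot ever changes tactics.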
Rails actions are now Rack endpoints, and can be retrieved via FooController.action(name) and called with an env.
Is your web server using gzip encoding? Surprisingly, many are not. I just wrote a little script to fetch the 30 external links off news.yc and check if they are using gzip encoding. Only 18 were, which means that the other 12 sites are needlessly slow, and also wasting money on bandwidth.
What’s really great about Passenger is that the attention to detail doesn’t end at the installer. The Linux process list is a list of programs that are currently running. Usually, programs are shown in this list by their command line name, often an indecipherable mix of letters and numbers. Passenger processes are easy to spot and easy to understand. Human readable names in a machine-centred interface.
Muxtape’s stock parts are highly regimented, allowing bands to express themselves with freedom, though not completely freely. Every component is 300 pixels square, and there is virtually zero layout flexibility; you can have whatever arrangement you like, so long as it comes in rows of three. What’s more, for now there are no ‘social’ components to draw upon; no commenting, no friending, no favoriting, etc. The new Muxtape platform is nothing if not regimented.
Tweetie is a desktop version of an application of the same name for the iPhone which, in my limited experience, is the first time an application has migrated from the phone to the desktop. As a friend mentioned, “Platform merge in progress!” and he’s right… When I use Tweetie, I’m reminded that a maniacal attention to detail not only makes you want to reach out and touch the digitally untouchable, it describes the familiar as the new, and, most importantly, it speaks of an aspirational future.
Gem Command to easily open a ruby gem with the editor of your choice. [Awesome. See the Issues tab for detail, but you need to set GEM_OPEN_EDITOR to ‘mate’ in your bash profile despite what the instructions might say.]
You can download the free version, which is ad-supported, and try it out for as long as you want. [The only Twitter client I’ve been able to use, aside from Tweetie on the iPhone.]
The first step to faster tests is knowing what is slow. Fortunately, this is dead simple with the test_benchmark plugin by Tim Connor, and originally built by Geoffrey Groschenbach. Install the plugin, and when you run your tests via Rake, you’ll see handy output showing you the slowest tests, and the slowest test classes.
But perhaps the most important factor that has made Twitter such a rich category for client software is that there is so little friction to switch between apps. There’s nothing to import or export, and zero commitment.
There’s a huge difference between what venture capitalists say and what they do. [VC] fell off a cliff in 2001 and 2002 and it’s falling off a cliff now.
I can’t reveal details without breaking confidences, but suffice it to say that a significant number of Rails core contributors – with leadership (if that’s the right word) from DHH – apparently feel that being unwelcoming and “edgy” is not just acceptable, but laudable. The difference between their opinions and mine is so severe that I cannot in good conscience remain a public spokesman for Rails. So, effective immediately, I’m resigning my position with the Rails Activists. [I haven’t gotten up to speed with the controversy around this issue, but I can say for certain that Mike Gunderloy stepping back from his participation in the Rails community is a real serious bummer.]
We have over 25,000 apps running on the platform today, and many of our users have been asking for pricing and paid services for some time now. So today we’re pleased to announce that we are officially out of beta and available for commercial use.
It’s been 3 months in the making and 3 months of waiting for Apple approval, but wait no more… ShakeItPhoto is ready for download at the iTunes App store for the low price of 99 cents. Take a photo and shake it like a polaroid to make it develop!
It gives us great pleasure to announce our integrated issue tracking system! On repository pages you’ll now see an “Issues” tab in the top menu.
After spending weeks on further development and intensive testing, we’ve now come to the point wherein we have the distinct honor to announce Phusion Passenger for Nginx as an addition to the Phusion Passenger server line-up. Our thanks goes out to Engine Yard for financially sponsoring this first release of Phusion Passenger for Nginx, as well as all the people who have in some way donated in the past for making this release possible in the first place.
Just as commercial software can’t possibly exist without customers, perhaps open source experience is only valid if you work on a project that attains some moderate level of critical mass and user base. Remember, shipping isn’t enough. Open source or not, if you aren’t building software that someone finds useful, if you aren’t convincing at least a small audience of programmers that your project is worthwhile enough to join… then what are you really doing?
With the latest stable release of rails out the door for about a month, we’ve had a chance to upgrade the bulk of the applications we maintain to 18.104.22.168. Here are some “gotchas”, aka issues, aka roadblocks to Strategic Enterprise Adoption that we discovered while upgrading some of them.
While I agree that it’s important to release code, I think pivotal and other similar tools lead to a mindset where releasing code is in itself the unit progress. But, as any successful team will tell you, completed tickets and releases released are horrible units of progress, since unless your customers love every single thing you do (they don’t), your unit of measurement becomes the amount of features and changes deployed.
I wrote Snip with Sinatra then deployed it up to Heroku so this is also a good excuse to describe Heroku, a truly amazing service for the Ruby programming community. The total number of lines in Snip is actually 43, in a single file named snip.rb, including the view template and layout. [It’s amazing what you can accomplish with Sinatra and Heroku.]
In my experience, a typical production Rails app on Ruby 1.8 can recover 20% to 40% of user CPU by applying Stefan Kaes’s Railsbench GC patch to the Ruby binary, and using the following environment variables…
Customer driven iteration takes customer validation rather than released features as its core unit of progress. It assumes that you have not accomplished anything and therefore cannot feel good until your metrics tell you that your market will use and pay for your stuff.
…the discussion shifted to deep conversation about the future of journalism in the era of socialized media with one simple question, “are newspapers worth saving?” Walt thought for no more than two seconds and assertively replied, “It’s the wrong question to ask. The real question we should ask is whether or not we can save good journalism.”
Attention is engaged at the point of introduction, and for many of us, we’re presented with worthwhile content outside of our RSS readers or favorite bookmarks. Relevant and noteworthy updates are now curated by our peers and trusted or respected contacts in disparate communities that change based on our daily click paths… Retweets (RT) and favorites in Twitter, Likes and comments in FriendFeed and Facebook, posting shortened links that connect friends and followers back to the source post, have changed our behavior and empowered our role in defining the evolution of the connectivity and dissemination of information.
ActiveRecord plugin for allowing (careful) mass assignment of protected attributes, separate from values provided via users of your application.
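To show what “separate from values provided via users” buys you, here is an added example of mine in plain Ruby (not the plugin’s code, and no ActiveRecord needed). The `Account` class and its attribute names are invented for the demo. Request params go through one path that silently drops protected attributes, exactly the way `attr_protected` behaves, while the application sets those same attributes through a second path that a request hash can never reach by accident:

```ruby
# Added example, not the plugin's own code: two assignment paths for a model,
# one for untrusted request params and one for application-controlled values.
class Account
  ATTRIBUTES = %i[name email role plan].freeze
  PROTECTED  = %i[role plan].freeze # never settable from request params

  attr_reader(*ATTRIBUTES)

  def initialize
    @role = 'member'
    @plan = 'free'
  end

  # Path 1: user-supplied params. Protected keys are dropped rather than raising,
  # and the dropped names are returned so the controller can log the attempt.
  def assign_from_params(params)
    dropped = []
    params.each do |key, value|
      key = key.to_sym
      next unless ATTRIBUTES.include?(key)
      if PROTECTED.include?(key)
        dropped << key
        next
      end
      instance_variable_set("@#{key}", value)
    end
    dropped
  end

  # Path 2: values the application itself decided on (after a payment cleared,
  # or after checking the caller is an admin). Only protected attributes are
  # accepted here, so ordinary form fields cannot be smuggled through it either.
  def assign_protected(values)
    values.each do |key, value|
      key = key.to_sym
      raise ArgumentError, "#{key} is not a protected attribute" unless PROTECTED.include?(key)
      instance_variable_set("@#{key}", value)
    end
    self
  end
end

# Constructed request hash: the user submits role=admin next to the two fields
# the signup form actually offers. Nothing here is a captured request.
def demo
  account = Account.new
  dropped = account.assign_from_params('name' => 'alice', 'email' => 'alice@example.test', 'role' => 'admin')
  # The plan upgrade is decided by the app, not by anything in the request.
  account.assign_protected(plan: 'pro')
  { name: account.name, role: account.role, plan: account.plan, dropped: dropped }
end

p demo if __FILE__ == $PROGRAM_NAME
```

The useful habit is the second method’s strictness: it refuses unprotected keys, so nobody can later “simplify” the code by passing the whole params hash through it.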
For the “I can’t browse from work” crowd or the “stuck behind the Great Firewall of China” set, there are any number of high-visibility, high-availability solutions: tor, your buddy’s apache proxy, etc. For those who want to try an obscurity/security/proxy solution that’s a little closer to the metal, there’s dns2tcp via ssh which, predictably, sends your encrypted traffic from your computer out of your network as a dns request and returns it the same way: you’re secure going out and you’re not sending up big, “hey everybody: look at my port 80 requests!” red flags to the secret police or the sysadmin or whomever. Cool stuff.
This is a pretty good read: it’s got a little too much depth to be considered a crash course, but it’s too abstract to be a tutorial or how-to. A nice, mid-level view of best security practices.
Normally I wouldn’t bookmark DailyKos–that would be kind of like bookmarking HuffPo or Reddit–but this is a neat little article about social engineering / industrial espionage that involves exploiting confirmation bias among partisans. Short read. Good read.
This made me laugh out loud. It may make you laugh out loud as well.
Supposedly this is the best online format converter. Handy in a pinch (or if you’re tired of your CLI converters screwing the pooch on higher ascii and spitting out comic book character swears in place of kanji).
At first glance, this looks like a “for Dummies” tutorial for a piece of software that is, essentially, “telnet for Dummies”. But swak lets you do something that you can’t (easily) do with plain, old-fashioned telnet. You can, for instance, set a timeout time, specify authentication types, etc. with a commandline flag or two. Handy if you’re troubleshooting that new mail server install or doing some eyeball/ball park benchmarking.
If you’re looking for a no-bullshit crash course in QA/QC that has decent depth, look no further.
Palm vein biometric authentication? Seriously? I mean, I guess super-futuristic biometric auth devices that scan _inside_ the body for unique identifiers are kind of cool in an aesthetic sense, but they’re certainly not very cool from a security sense: I thought we had agreed as a global society that physical objects, no matter how apparently unique they are, are unsuitable for secure auth because they are, at the end of the day, still just objects. And all objects can be replicated.
First reaction: “wow that’s totally awesome–I can’t believe someone came up with this.” Two seconds later’s reaction: “wow, my opinion of the human race just got ratcheted down a peg or two: I can’t believe it took us this long to invent the ATM card data skimmer.”
You know, three weeks ago, I had no idea who Matt Taibbi was. Then, courtesy of reddit, I got put on to his write-up of the Meltdown and I’ve been hooked. This guy hits hard, doesn’t pull punches and walks the stylistic tightrope between the unnaturally polite tenor of expose journalism and the warbling catachresis of incendiary blogging.
This is a good article because a.) it’s timely and b.) is written from a hacker perspective/mentality. It starts with the question, “what is the nature of the system?” and then wonders about different methods of potentially short-circuiting it or circumventing aspects of it. Kind of makes taxes fun. Almost.
This is a good list of comments to scroll through as it discusses Linux mounting tricks, how to use LVM and, basically, lists reasons why not to panic. And, I don’t know about you, but the fewer reasons I have to panic, the better.
Yeah, it’s basically just a flat camera and a necktie that’s been cut open in the back, but the idea is still totally effing awesome.
There are two reasons that introductory level, “how to” type documents for the basics of Linux administration are so ubiquitous: those reasons are that they’re useful for experienced users to a.) write and b.) comment upon and they’re useful for inexperienced users looking things up. This one is about cron and using crontab. And it’s a great example of that.